November 2nd, 2010
The PCI Security Standards Council has just released version 2.0 of PCI DSS, the Data Security Standard that applies to every merchant that accepts card payments (and, more broadly, to any organisation that stores, processes or transmits cardholder data) and is designed to protect cardholder details. Although it introduces only minor alterations, the main intention of the revision is to provide greater clarity and flexibility, particularly for small merchants, so that the requirements are easier to understand, implement and keep to.
From a longer-term perspective, the amendments are designed to help merchants manage evolving risks and data security threats while staying aligned with industry best practice. At a high level, the main changes cover:
- Reinforcement of the need to conduct thorough scoping exercises, so that merchants can identify exactly where cardholder data resides and flows within the business.
- Greater emphasis on effective logging and log management around the systems that handle cardholder data.
- Allowance for organisations to take a risk-based approach when ranking and prioritising vulnerabilities, taking their specific circumstances into account.
- Recognition that business environments differ, and accommodation of their specific needs.
More specifically, Jonathan Lampe, VP of Product Management at Ipswitch File Transfer and a representative on the PCI Security Standards Council, has identified five key changes that will directly affect the transfer of sensitive card data:
- Explicit recognition of SFTP as a secure protocol.
- Virtual machine infrastructure and virtualisation hypervisors will be brought explicitly within the scope of PCI DSS audits.
- Key rotation requirements for key management will be “based on industry best practices and guidelines” rather than a fixed annual stipulation.
- Identification and authentication requirements for users, “non-consumer” users and administrators will be split further.
- More specific requirements will be introduced around the auditability and security of timekeeping, especially as recorded in audit logs. (Coordinated and reliable timestamps are essential when correlating events across systems, and are helpful during civil and criminal investigations as well as internal forensic investigations.)
A further step taken by the PCI Council to help small merchants meet the PCI DSS 2.0 changes is the introduction of a small microsite. The implementation life cycle of the PCI Council’s standards will also be extended from the current two years to three years, giving merchants more time to make the necessary changes. The new 2.0 standard will be effective from 1st January 2011; however, validation against the previous 1.2.1 standard will still be allowed until 31st December 2011.
For more information regarding PCI DSS compliance and how it can be achieved for secure file transfer, please don’t hesitate to contact the team at Pro2col on 0333 123 1240.
Tags: 2.0, cardholder data, Ipswitch File Transfer, Jonathan Lampe, PCI DSS, PCI Security Standards Council, secure card payments, Secure File Transfer
Posted in Large File Transfer, Pro2col General, Secure File Transfer | 1,526 Comments »
March 26th, 2010
Recent reports have highlighted that hospitals and physicians in the US have been given a deadline of 2015 to convert all health records into digital form and then to deploy the accompanying technology to handle these digital assets. Considering that only about a quarter of the US population’s health records are currently stored digitally, this is a bit of a tall order!
It makes you wonder whether, or rather WHEN, the UK will follow in their footsteps. For those organisations operating in the health sector, it may be wise to start reviewing the security and efficiency of your file transfer systems now, especially when you take into account the increased ICO powers of enforcement due to come into effect on 6th April 2010. If a similar mandate were to come into force in the UK, organisations would need to ensure that sensitive client files were protected in transit between locations in order to avoid possible fines of up to £500,000.
If you’re a health care organisation and you want to review or evaluate your large file transfer processes, please get in touch with the team at Pro2col on 0333 123 1240. We offer a comprehensive range of secure file transfer solutions and we’re always happy to help.
Tags: health care industry, health care records, ICO, Secure File Transfer
Posted in Secure File Transfer | 322 Comments »
November 25th, 2009
With the sheer abundance of security standards, laws and legislation nowadays, it’s easy to get overwhelmed. Although these are necessary measures to safeguard individuals’ confidential information and to protect your business against prosecution, it can be difficult to work out which laws apply to your organisation.
To complicate matters further, legislation varies between continents, and in the US even between states! As a result, we have put together a succinct guide to some of the most high-profile legislation governing secure file transfer in the US and UK, including some standards that are recognised internationally. These include acts such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA) and the Data Protection Act, as well as security standards such as FIPS (the US federal standards) and ISO 27001.
Unfortunately it doesn’t end there. Once an organisation has established which legislation applies to its business, it then has to make sure that its systems and procedures are actually compliant! Thankfully, most legislation is accompanied by a defined compliance assessment or validation process, which is the most reliable way to confirm that investment in technology and solutions actually meets the secure file transfer requirements stipulated by government and regulators.
If you would like to discuss security compliance in terms of secure file transfer solutions, don’t hesitate to get in touch – we are happy to provide advice and support.
Tags: Data Protection Act, FIPS, Gramm-Leach-Bliley, HIPAA, ISO 27001, Sarbanes Oxley, Secure File Transfer, Security Compliance, Security Legislation
Posted in Secure File Transfer | 495 Comments »
October 12th, 2009
As I’m sure (or hope) you will have spotted in the news, we have recently added Biscom’s secure Ad Hoc file transfer solution to our ever-expanding product portfolio, another milestone in Pro2col’s endeavour to provide our customers with a wide range of secure, large file transfer solutions to meet their every need.
During our time in the file transfer industry we have spoken to lots of organisations across different sectors with a requirement to send large files on an Ad Hoc (one-off) basis, a need that has been overlooked in the development of many secure file transfer solutions. Ad Hoc file transfer solutions come into their own when you need to send a large file quickly and simply, without the delay or expense of involving IT administrators to create or manage end-user accounts. They let you send a file much as you would an email attachment, minus the attachment size limits and other problems you run into with a traditional mail server!

We wanted to take this opportunity to invite all of our readers to a special webinar being held on Thursday 29th October at 2pm (GMT). There you will see exactly how the solution works and have the chance to ask any questions relating to the Biscom Delivery Server, Ad Hoc file transfer or secure file transfer in general!
To find out more about exactly what will be covered during the one-hour webinar, please visit the webinar section of the Pro2col website.
If you are interested in attending please

Tags: Ad Hoc File Transfer, BDS, Biscom Delivery Server, Email File Transfer, Large File Transfer, Pro2col Ltd, Secure File Transfer, Webinar
Posted in Secure File Transfer | 865 Comments »
September 4th, 2009
LinkedIn is a great communications tool that we have previously underused (we’ve just been so busy!), but Pro2col is now active there. Not only that, we’ve set up the File Transfer Technology Group, a place where we can share ideas and opinions and, more importantly, hear what everyone else out there has to say about all things file transfer.
To date, discussions have ranged from file transfer security…
U.S. Congress have enforced acts, e.g. HIPAA & Sarbanes-Oxley, to protect confidential information stored & exchanged throughout businesses & services. Should similar guidelines exist in the UK/EU?
To file transfer protocols…
FTP or peer to peer Portal?
I’d like some feedback from everyone on what they think are the three ‘main’ types of b2b file transfer. Here are my thoughts – have I missed any really obvious ones though?
To what’s in the news…
Accidental insider security incidents more frequent than malicious attacks
Illegal file-sharers could see internet connection cut
The group has only been active for a few weeks and there are already over 75 members, including several Pro2col employees:
James Lewis – Managing Director/Business Guru
Charles Snell – Managing Director/Technical Buff
Lindsay Lewis – Marketing Manager/General Dogsbody
We’d love to hear your thoughts and opinions on any of the above topics. Even better – if you have a subject you’d like to discuss please join the File Transfer Technology Group and start a discussion – new members are always welcome.
Hope to see you on LinkedIn soon!
Tags: file transfer protocols, file transfer technology group, LinkedIn, Pro2col, Secure File Transfer
Posted in Pro2col General | 439 Comments »